Installing and uninstalling programs on a computer results in system-wide changes. For example, new and temporary executable files are created, processes are launched, persistent system setting changes are made, etc. This is the case because the process of installing new software (or uninstalling old software) on a computer involves making system-level changes, both to add the new program to the computer and to modify the environment in order to use the new program. However, the types of system changes made during the install/uninstall process are similar in nature to actions taken by malware (e.g., a virus, worm or Trojan horse) as it infects a computer. Malware also creates new and temporary executable files, launches processes, modifies system settings, etc.
In the case of the installation of legitimate software, it is desirable for the installation process to make the system-level changes and install the software program for the user. However, because malware makes similar-looking system changes, an installation (or uninstallation) process can easily be mistaken for malware by an anti-malware detection system (e.g., an antivirus program).
It is not desirable for an anti-malware system to classify an installation/uninstallation process as comprising malware. First of all, typically the installation/uninstallation process runs with the user's knowledge and/or permission, to install or uninstall software at the direction of the user. Even if an installation program is installing malware, it is the actual malware being installed that is malicious, not the install package itself. In other words, if an installer is used to install a virus, it is the installed executable image(s) comprising the virus that should be classified as malware, not the installer itself. The installer is merely performing its designated task of installing software, and is agnostic as to the content of the software it installs.
It would be desirable to address these issues.